With every major innovation the security community comes up with, the general public and vendors alike figure out a way to abuse that innovation or work around it to do what they originally wanted to do again - think firewalls and tunneling over port 80...

There are a ton of sites these days that use load-balancers in front of them. There’s a few ways they can be installed - completely transparent or acting more like a proxy. The proxy is the more common setup but it has one pretty huge negative side-effect, all the IP addresses come to the server as just one - the internal IP of the load balancer.

It turns out you can create a single chassis that contains around 67 terabytes in it for $7,867. That’s pretty incredible...It almost doesn’t make any cost sense to outsource your storage to the cloud with those cost savings.

Buying a certificate to allow for transport security is a good idea if you’re worried about man in the middle attacks. But when you’re in another country where the cost of running your website is a significant investment compared to the United States, suddenly the fees associated with the risks are totally lopsided...

Flash’s settings are very often scoped to the domain rather than the app. Although currently allowing Flash access to camera and microphone isn’t all that common, if it ever did become common using XSS would be a pretty interesting tactic...

Oracle just released the July 2010 Critical Patch Update (CPUJul2010). This Critical Patch Update (CPU) is the second one to include fixes for the Oracle (formerly Sun) Solaris product line and includes 59 security updates

I thought this is a very interesting title for discussion but the whole idea is to debate on whether "you can" or "you can't hide". Now that the hackers around the globe have more sophisticated Hack tools under their belt, spoofing your identity has become even more easier than ever.

Vulnerabilities in websites happen, especially the ever pervasive Cross-Site Scripting (XSS). Essentially every major website has had to deal with XSS vulnerabilities published publicly or otherwise. This also includes security companies. No one is perfect, no website has proven immune, ours included. As experts in Web application security and specifically XSS, yesterday even we took our turn. W...

Oracle just released a Security Alert to announce the availability of fixes for two vulnerabilities (CVE-2010-0886 and CVE-2010-0887) affecting Oracle Java SE and Oracle Java For Business. Both vulnerabilities only affect Java when running in a 32-bit web browser. These vulnerabilities are not present in Java running on servers or standalone Java desktop applications and do not impact any Oracle s...

Recently, My gmail account was hacked by some botnet which sent out e-mails to all my contact asking them to check out a website. I only realized this when I checked my gmail "Sent Mail" folder and had to immediately send a warning message to all my contacts telling them that my account was hacked and not to click on any links from my previous mails.

With the impending release of Fierce 2.0 I thought I’d spend a minute talking about finding high value targets. I was working with a company in a specific vertical when I realized they use a very large single back end provider (essentially a cloud-based SaaS). But they aren’t the only large company using that SaaS - there are many hundreds of other companies using them as well.

Did you hear the news? CSRF isn’t a big deal. I just got the memo too! There were a few posts pointing me to an article on the fact that CSRF isn’t that big of a deal. Fear not, I am here to lay the smack down on this foolishness. To be fair, I have no idea who this guy is, and maybe he’s great at other forms of hacking - web applications just don’t happen to be his strong ...

The CSS history hack is soon going to close. If you look at the original Bugzilla thread this is something that Mozilla had marked as a P1 bug since 2002. You heard me right, this P1 bug has been open for 8 years. And here we are, on the cusp of an actual fix.

From the Mozilla Security Blog - We’re close to landing some changes in the Firefox development tree that will fix a privacy leak that browsers have been struggling with for some time. We’re really excited about this fix, we hope other browsers will follow suit. It’s a tough problem to fix, though, so I’d like to describe how we ended up with this approach.

Remember the Astroglide breach, when customers who ordered samples of the lubricant had their personal details exposed online? Now there are allegations that Durex condom orders were leaking on the web.